Microsoft Zero Trust Assessment Tool: The Free AI-Powered Security Audit That Exposes Every Gap In Your Tenant + Video

Listen to this Post

Featured Image

Introduction:

As organizations rapidly adopt generative AI tools within Microsoft 365, traditional perimeter-based security models collapse under the weight of non-human identities, API sprawl, and decentralized data access. Microsoft has responded by releasing two free, integrated capabilities: Security Baseline Mode and the Zero Trust Assessment (ZTA) Tool. These solutions enable security teams to continuously measure their tenant posture against Microsoft’s recommended configurations while leveraging AI to detect drift, misconfigurations, and exposure points before attackers exploit them.

Learning Objectives:

  • Deploy and interpret the Zero Trust Assessment tool to quantify your tenant’s maturity across identity, devices, data, and infrastructure
  • Enforce Microsoft Security Baseline Mode using PowerShell and the Microsoft 365 Defender portal to eliminate legacy permissive defaults
  • Automate continuous compliance monitoring through Graph API integration and custom reporting workflows
  • Identify common misconfigurations that bypass Zero Trust principles and remediate them with verified commands

You Should Know:

  1. Deploying the Zero Trust Assessment Tool via the Microsoft 365 Defender Portal

The Zero Trust Assessment tool is not a separate license—it is a free, native dashboard within the Microsoft 365 Defender portal that provides a real-time “ZTA score” (0–100%) across four pillars: identity, devices, data, and infrastructure. It maps directly to the Zero Trust maturity model published by Microsoft.

Step‑by‑step guide explaining what this does and how to use it:

  1. Navigate to https://security.microsoft.com and sign in with Global Admin or Security Admin privileges.
  2. In the left navigation, expand Endpoints or Assets (depending on tenant update rings) and select Zero Trust Assessment.
  3. The dashboard displays a percentage score. Below it, four cards represent Identity, Devices, Data, and Infrastructure.
  4. Click any card to drill down into specific control failures—for example, “Legacy authentication enabled” or “Unmanaged devices accessing Exchange Online”.

To export this data for auditing:

  • Use the Export button in the top ribbon to generate a CSV containing all failing controls and affected objects.
  • Alternatively, leverage PowerShell to pull the data programmatically (see Section 3).

This tool eliminates the guesswork of external assessments by pinpointing exactly which users, groups, or applications are violating Zero Trust policies.

  1. Enabling Security Baseline Mode to Lock Down Legacy Permissive Settings

Security Baseline Mode is Microsoft’s secure-by-default initiative that automatically reverts tenant configurations to Microsoft’s recommended security baselines unless explicitly overridden. It currently applies to Exchange Online, SharePoint Online, and Microsoft Teams, with additional workloads expected.

Step‑by‑step guide explaining what this does and how to use it:

  1. In the Microsoft 365 Defender portal, go to Settings > Microsoft 365 > Baseline.
  2. You will see a toggle for Security Baseline Mode.
  3. Enable the toggle and review the workloads listed. For each workload, Microsoft displays the settings that will be enforced (e.g., “Disable basic authentication”, “Block anonymous access”).
  4. If a specific department requires a legacy setting, click Add exception and target the exception to a specific security group or user.

To verify enforcement via PowerShell:

Connect-ExchangeOnline
Get-OrganizationConfig | Select-Object LegacyAuth, AllowAnonymous

If Security Baseline Mode is active, legacy authentication protocols should show as `False` and anonymous access should be disabled unless explicitly excepted.

  1. Automating Zero Trust Score Retrieval with PowerShell and Microsoft Graph

Manual checks degrade over time. To maintain continuous visibility, security engineers can script the retrieval of the Zero Trust score and failing controls using the Microsoft Graph API and PowerShell.

Step‑by‑step guide:

  1. Register an Azure AD application with API permission: SecurityActions.Read.All.
  2. Grant admin consent and generate a client secret.
  3. Use the following script to fetch the current ZTA score and failing controls:
$tenantId = "your-tenant-id"
$clientId = "your-app-id"
$clientSecret = "your-secret"

$body = @{
client_id = $clientId
client_secret = $clientSecret
scope = "https://api.security.microsoft.com/.default"
grant_type = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body
$token = $response.access_token

$headers = @{Authorization = "Bearer $token"}

$score = Invoke-RestMethod -Uri "https://api.security.microsoft.com/api/zerotrust/score" -Headers $headers
$score.value | ConvertTo-Json

$failures = Invoke-RestMethod -Uri "https://api.security.microsoft.com/api/zerotrust/failingcontrols" -Headers $headers
$failures.value | Export-Csv -Path "ZTA_Failures.csv" -NoTypeInformation

Schedule this script via Azure Automation or a local task scheduler to generate daily compliance reports.

  1. Integrating Zero Trust Findings with SIEM/SOAR via Log Analytics

Raw telemetry behind the ZTA tool is available through the Microsoft 365 Defender Advanced Hunting schema. This allows security operations centers to correlate Zero Trust gaps with real-world incidents.

Step‑by‑step guide:

  1. In the Microsoft 365 Defender portal, select Advanced Hunting.
  2. Run the following KQL query to identify devices that have not been compliant with baseline policies in the last seven days:
DeviceInfo
| where Timestamp > ago(7d)
| where OnboardingStatus == "Onboarded"
| where IsCompliant == false
| summarize arg_max(Timestamp, ) by DeviceId
| project DeviceName, OSPlatform, LastSeen = Timestamp
  1. To send these results to Azure Sentinel / Microsoft Sentinel:

– Configure diagnostic settings on the Microsoft 365 Defender connector.
– Stream DeviceInfo, IdentityLogonEvents, and `EmailEvents` tables to a Log Analytics workspace.
– Build analytic rules that trigger when non-compliant devices access privileged roles.

  1. Hardening Non-Human Identities and API Permissions (The AI Attack Vector)

AI-driven threats often exploit over-privileged service principals and applications. The ZTA tool now flags “AI applications with excessive permissions” and “Apps using legacy authentication”. This is critical because Copilot and third-party AI tools inherit delegated permissions from users.

Step‑by‑step guide:

  1. In the Zero Trust Assessment dashboard, filter by Infrastructure > Applications.
  2. Review the list of enterprise applications with “High” risk signals.
  3. Use Microsoft Graph PowerShell to audit and restrict these apps:
Connect-MgGraph -Scopes "Application.Read.All", "Policy.ReadWrite.Authorization"
Get-MgServicePrincipal -All | Where-Object {$_.AccountEnabled -eq $true} | 
Select-Object DisplayName, AppId, Id, Tags
  1. To block legacy authentication at the conditional access level for all service principals:
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
"allowedToUseSSPR" = $false
"permissionGrantPoliciesAssigned" = @("ManagePermissionGrantsForSelf.Microsoft_Managed")
}

This forces all API grants to require admin consent, blocking AI tools from silently harvesting user data.

  1. On-Premises and Hybrid Identity Remediation Commands (Windows Server)

Zero Trust extends to hybrid identities. If the ZTA tool flags “Stale accounts synced from on-premises”, immediate action is required on domain controllers.

Step‑by‑step guide for Windows Server:

1. Identify disabled or never-logged-on AD users:

Get-ADUser -Filter  -Properties LastLogonDate, Enabled | 
Where-Object { $<em>.Enabled -eq $false -or $</em>.LastLogonDate -lt (Get-Date).AddMonths(-6) } | 
Select-Object Name, SamAccountName, LastLogonDate, Enabled
  1. Disable sync for these accounts or soft-delete them:
Set-ADUser -Identity "username" -Enabled $false

3. Force Azure AD Connect delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

For Linux-based identity management (if using third-party IdP bridging tools), use ldapsearch to audit:

ldapsearch -x -H ldap://your-dc -b "dc=domain,dc=com" "(objectClass=user)" | grep "sAMAccountName" | tail -20
  1. Continuous Validation: Simulating Zero Trust Attacks with Open-Source Tools

To validate that your ZTA score improvements are effective, simulate common attacks that exploit the gaps the tool identifies.

For Windows (simulating legacy auth brute force):

$url = "https://outlook.office365.com/EWS/Exchange.asmx"
$cred = Get-Credential
Invoke-WebRequest -Uri $url -Credential $cred -AllowUnencryptedAuthentication

If this succeeds despite Security Baseline Mode, your exception rules are too broad.

For Linux (testing SharePoint anonymous access):

curl -I https://yourtenant.sharepoint.com/sites/public/_layouts/15/start.aspx

If the response includes `200 OK` without a `Bearer` token requirement, anonymous access is not fully locked down.

What Undercode Say:

  • Key Takeaway 1: The Zero Trust Assessment tool shifts Microsoft 365 security from reactive patching to proactive posture management—but its real power lies in automation. Teams that manually review the dashboard once will fail; teams that script the API daily will succeed. The free cost is deceptive; it demands skilled engineering to operationalize.

  • Key Takeaway 2: Security Baseline Mode eliminates the “secure by default but permissive by legacy” paradox. However, exceptions must be managed with strict change control—each exception creates a blind spot that attackers can discover through tenant reconnaissance. Organizations should treat Baseline Mode as a non-negotiable floor, not a ceiling.

Analysis: Microsoft is effectively commoditizing what was previously a high-cost consulting engagement. The combination of a free scoring engine and automated enforcement arms even small security teams with enterprise-grade capabilities. The catch is that the tool only measures—it does not remediate without human or scripted intervention. Security teams must now transition from “auditors” to “automation engineers.” Those who treat ZTA as a one-time report will remain exposed; those who integrate it into CI/CD pipelines for tenant configuration will achieve continuous compliance. The AI threat lens is particularly prescient—many organizations are rapidly deploying Copilot without reassessing the delegated permissions of their users, creating a data exfiltration highway. The ZTA tool’s flagging of “AI applications” is Microsoft’s subtle warning: your AI adoption is outpacing your identity hygiene.

Prediction:

Within the next eighteen months, Microsoft will deprecate the standalone Secure Score and fully absorb it into the Zero Trust Assessment tool. Furthermore, we predict that baseline enforcement will expand to Purview compliance settings and Azure subscription-level policies, effectively creating a unified “ZTA-as-policy-engine.” This will force third-party CSPM tools to pivot from configuration assessment to configuration enforcement or become obsolete. The biggest shift, however, will be regulatory: insurance carriers will begin requiring a minimum ZTA score (likely 70%+) for cyber insurance eligibility, making this free tool the de facto standard for tenant risk underwriting. Organizations failing to automate their ZTA remediation today will face premium hikes or policy denials by 2026.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jaimie Korik – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky